Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records, 63706-63710 [E7-21907]

Download as PDF 63706 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations In addition, copies are available by writing or calling the individuals in the DEPARTMENT OF HOMELAND SECURITY FOR FURTHER INFORMATION CONTACT Transportation Security Administration 49 CFR Part 1507 [Docket No. TSA–2007–28972; Amendment No. 1507–3] RIN 1652–AA48 Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records Transportation Security Administration, DHS. ACTION: Final rule. AGENCY: jlentini on PROD1PC65 with RULES3 SUMMARY: Following a Notice of Proposed Rulemaking (NPRM) and public comment, this rule amends the Transportation Security Administration (TSA)’s regulations by exempting a new system of records from several provisions of the Privacy Act. The Secure Flight Records system (DHS/TSA 019) includes records used as part of the watch list matching program known as Secure Flight, which implements a mandate of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and is consistent with TSA’s authority under the Aviation and Transportation Security Act (ATSA). Under the Secure Flight program, TSA would assume the current watch list matching function to the No Fly and Selectee Lists from aircraft operators. TSA is exempting DHS/TSA 019 from provisions of the Privacy Act to the extent necessary to protect the integrity of investigatory information that may be included in the system of records. DATES: Effective December 10, 2007. FOR FURTHER INFORMATION CONTACT: Peter Pietra, Director, Privacy Policy and Compliance, TSA–36, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202–4220; facsimile (571) 227–1400; e-mail TSAPrivacy@dhs.gov; or Hugo Teufel III (703–235–0780), Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC 20528; e-mail pia@dhs.gov. SUPPLEMENTARY INFORMATION: Availability of Rulemaking Document You can get an electronic copy using the Internet by— (1) Searching the electronic Federal Docket Management System (FDMS) Web page at https://www.regulations.gov; (2) Accessing the Government Printing Office’s Web page at https:// www.gpoaccess.gov/fr/; or (3) Visiting TSA’s Security Regulations Web page at https:// www.tsa.gov and accessing the link for ‘‘Research Center’’ at the top of the page. VerDate Aug<31>2005 20:02 Nov 08, 2007 Jkt 214001 section. Make sure to identify the docket number of this rulemaking. Small Entity Inquiries The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires TSA to comply with small entity requests for information and advice about compliance with statutes and regulations within TSA’s jurisdiction. Any small entity that has a question regarding this document may contact the person listed in FOR FURTHER INFORMATION CONTACT. Persons can obtain further information regarding SBREFA on the Small Business Administration’s web page at https:// www.sba.gov/advo/laws/law_lib.html. Abbreviations and Terms Used in This Document DHS—Department of Homeland Security FBI—Federal Bureau of Investigation TSA—Transportation Security Administration Background The Privacy Act of 1974 (Privacy Act), 5 U.S.C. 552a, governs the means by which the U.S. Government collects, maintains, uses, and disseminates personally identifiable information. The Privacy Act applies to information that is maintained in a ‘‘system of records.’’ A ‘‘system of records’’ is a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. See 5 U.S.C. 552a(a)(5). An individual may request access to records containing information about him or herself. 5 U.S.C. 552a(b), (d). However, the Privacy Act authorizes Government agencies to exempt systems of records from access by individuals under certain circumstances, such as where the access or disclosure of such information would impede national security or law enforcement efforts. Exemptions from Privacy Act provisions must be established by regulation. 5 U.S.C. 552a(j), (k). TSA’s Privacy Act exemptions are found at 49 CFR part 1507. On August 23, 2007, TSA published a notice (Part III, 72 FR 48392) establishing a new Privacy Act system of records entitled Secure Flight Records (DHS/TSA 019). The Secure Flight Records system maintains records for the Secure Flight Program which carries out the requirement of section 4012(a)(1) of IRTPA (Pub. L. 08–458, PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 188 Stat. 3638, Dec. 17, 2004) and provides for TSA’s assumption from air carriers the comparison of passenger information for domestic flights to the consolidated and integrated terrorist watch list maintained by the Federal Government. Section 4012(a)(2) of IRTPA similarly requires the DHS to compare passenger information for international flights to and from the United States against the consolidated and integrated terrorist watch list before departure of such flights. Further, as recommended by the 9/11 Commission, TSA may access the ‘‘larger set of watch lists maintained by the Federal Government.’’ 1 Therefore, as warranted by security considerations, TSA may use the full Terrorist Screening Database (TSDB) or other government databases, such as intelligence or law enforcement databases (referred to as ‘‘watch list matching’’). For example, TSA may obtain intelligence that flights flying a particular route may be subject to an increased security risk. Under this circumstance, TSA may decide to compare passenger information on some or all of the flights flying that route against the full TSDB or other government database. In conjunction with the establishment and publication of the Secure Flight Records system of records on August 23, 2007, TSA initiated a proposed rulemaking (Part III, 72 FR 48397) to exempt this system of records from a number of provisions of the Privacy Act because this system of records may contain records or information recompiled from, or created from, information contained in other systems of records, which are exempt from certain provisions of the Privacy Act. For these records or information only, to the extent necessary to protect the integrity of watch list matching procedures performed under the Secure Flight Program and in accordance with 5 U.S.C. 552a(j)(2) and (k)(2), TSA is claiming the following exemptions for certain records within the Secure Flight Records system: 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f), and (g). Discussion of Comments TSA received comments on the proposed rule from both the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Some of their comments dealt more generally with the Secure Flight Program and will be addressed in the final rule for the Secure Flight Program. 1 ‘‘National Commission on Terrorist Attacks Upon the United States’’, page 393. E:\FR\FM\09NOR3.SGM 09NOR3 jlentini on PROD1PC65 with RULES3 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations The remaining comments relate to the exemptions claimed for the Secure Flight Records system, which TSA has addressed below. As a preliminary matter and an overall response to the comments, TSA recognizes that although there is a need for the exemptions provided for in this document, there may be instances where such exemptions can be waived. There may be times when the Privacy Act exemptions claimed here are not necessary to further a governmental interest. In appropriate circumstances, where compliance would not appear to interfere with, or adversely affect, the law enforcement and national security purposes of the system and the overall law enforcement and security process, the applicable exemptions may be waived. 1. Applicability of Exemptions (j)(2), (k)(1), and (k)(2). EFF raised a question about TSA’s ability to use 5 U.S.C. 552a(j)(2), (k)(1), and (k)(2) as the basis for exempting the system from portions of the Privacy Act. Exemption (j)(2) applies where a system of records consists of information compiled for purposes of a criminal investigation and the system is maintained by an agency or component of the agency that performs as its principal function any activity pertaining to the enforcement of criminal laws, including efforts to prevent, control, or reduce crime, or apprehend criminals. EFF alleges that this exemption would only apply to the Secure Flight Records system if TSA believes that millions of innocent citizens are ‘‘criminal offenders or alleged offenders.’’ TSA disagrees that the Secure Flight Records system in any way suggests that the majority of individuals undergoing screening by the Secure Flight program are criminals. However, the Secure Flight system does contain records originating from the systems of records of other law enforcement and intelligence agencies, such as records obtained from the TSC of known or suspected terrorists in the Terrorist Screening Database (TSDB) and records of individuals identified on classified and unclassified governmental watch lists, which may be properly exempt from certain provisions of the Privacy Act pursuant to (j)(2). In order to ensure that agencies’ investigative or law enforcement efforts are unharmed, and information relating to DHS activities are protected from disclosure to subjects of investigations, TSA must use this exemption. However, TSA does not assert exemptions to any provision of the Privacy Act with respect to information submitted by or on behalf of individual passengers or non-travelers in the course of making a VerDate Aug<31>2005 20:02 Nov 08, 2007 Jkt 214001 reservation or seeking access to a secured area under the Secure Flight program. Exemption (k)(1) applies to records that contain information that have been officially classified in the interest of national security. EFF noted that the designated security classification in the Privacy Act system or records notice for Secure Flight Records is ‘‘[u]nclassified; Sensitive Security Information’’ and, therefore, this system could not be exempt under (k)(1). TSA appreciates the comment, and upon re-examination concludes that the system will not be likely to contain classified material. TSA will update its system of records notice to delete the assertion of an exemption under (k)(1). Exemption (k)(2) applies to investigatory material compiled for law enforcement purposes that is not otherwise covered by exemption (j)(2), provided that an individual is not denied access to a record where the agency’s maintenance of the record resulted in the individual being denied a right, privilege, or benefit to which he would otherwise be entitled. EFF alleges that Secure Flight potentially denies individuals their right to travel, so the exemption may not be invoked with respect to those individuals who have been denied this right and material in the system should be provided to them. As a preliminary matter, TSA does not believe that the Secure Flight program denies individuals their right to travel. Courts have consistently held that travelers do not have a Constitutional right to travel by a single mode or the most convenient form of travel. See for example: Town of Southold v. Town of East Hampton, 477 F.3d 38, 54 (2d Cir. 2007); Gilmore v. Gonzales, 435 F.3d 1125, 1136 (9th Cir. 2006); Miller v. Reed, 176 F.3d 1202, 1205 (9th Cir. 1999). The Secure Flight program would only regulate one mode of travel (aviation), and would not impose any restriction on other mode of travel. Therefore, a restriction on an individual’s ability to board an aircraft as a result of the Secure Flight program would not implicate a Constitutional right to travel. In addition, as noted above, information in this system may be related to investigations arising out of DHS or other agency programs and activities, and may pertain to law enforcement or national security matters. In such cases, allowing access to information could alert subjects of investigations of actual or potential criminal, civil, or regulatory violations, and could reveal, in an untimely manner, DHS’s and other agencies’ investigative interests in law PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 63707 enforcement efforts to preserve national security. Further, to the extent that an individual is denied a right, benefit, or privilege due to the maintenance of a record by TSA in this system, TSA will provide access to that record to the extent the law requires. 2. Exemption from Access and Amendment Requirements. The bulk of both EFF and EPIC’s comments constituted objections to TSA’s proposal to exempt portions of the system from 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(4)(G)–(I); and (f) which all relate to an individual’s ability to request access to and correction of records in a system of records. Both groups are concerned that the watch lists used by the Secure Flight Program contain errors and inaccuracies that lead to inconveniences and, in some cases, a loss of liberty for individuals who are placed on a watch list in error. EFF and EPIC do not believe that TSA has an adequate redress process in place, and thus, the need for access and amendment under the Privacy Act is critical. TSA claims these exemptions in order to protect information relating to investigations from disclosure to subjects of investigations and others who could interfere with investigatory activities. Specifically, the exemptions are required to: Prevent subjects of investigations from frustrating the investigative process; avoid disclosure of investigative techniques; protect the privacy of confidential sources; ensure TSA, DHS and other agencies ability to obtain information from third party and other sources; and safeguard sensitive information. Allowing amendment of these records could interfere with ongoing counterterrorism, law enforcement, or intelligence investigations and analysis activities and impose an impossible administrative burden by requiring investigations, analyses, and reports to be continuously reinvestigated and revised. The exemptions proposed here are standard law enforcement and national security exemptions exercised by Federal law enforcement and intelligence agencies. EFF and EPIC refer to the redress process, DHS Traveler Redress Inquiry Program (DHS TRIP), as ‘‘vague,’’ ‘‘discretionary,’’ ‘‘not meaningful,’’ and ‘‘Kafkaesque.’’ These assertions are simply incorrect, and are not comments upon which TSA can meaningfully act. The DHS TRIP program is a robust and effective mechanism for individuals who believe that they have been delayed or prohibited from boarding or denied entry to the airport sterile area as the result of the Secure Flight program to E:\FR\FM\09NOR3.SGM 09NOR3 jlentini on PROD1PC65 with RULES3 63708 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations seek redress and relief. With the implementation of Secure Flight, TSA believes that it will become even more effective with uniform application by the government, rather than relying on application by individual airlines. When an individual requests access to his or her information through the redress process, the request will be examined on a case by case basis, and, after conferring with the appropriate component or agency, the agency may waive applicable exemptions in appropriate circumstances where it would not appear to interfere with or adversely affect the law enforcement or national security purposes of the systems from which the information is recompiled or in which it is contained. Again, TSA shall not assert any exemption with respect to information submitted by and collected from the individual or the individual’s representative in the course of the Secure Flight Program or any redress process associated with the underlying records. 3. Exemption from Requirement to Collect Only Relevant and Necessary Information. EFF and EPIC object to TSA’s assertion of exemption authority under 5 U.S.C. 552a(e)(1) which permits the maintenance of information beyond that which is ‘‘relevant and necessary’’ to accomplish the agency’s purpose. The groups’ objection stems from their conviction that the watch lists used by Secure Flight are riddled with errors and inaccuracies. EFF states that the implementation of this exemption ‘‘will serve only to increase the likelihood that Secure Flight will become an errorfilled, invasive repository of all sorts of information bearing no relationship to its stated goals of expediting the preboarding process for travelers and improving transportation security.’’ TSA appreciates this concern and similarly seeks to ensure that data used in the watch list matching process is as thorough, accurate, and current as possible. However, TSA must exempt portions of this system from (e)(1) because it is not always possible for TSA or other agencies to know in advance what information will be relevant or necessary for it to complete an identity comparison between aviation passengers or certain nontravelers and a known or suspected terrorist. For example, for one individual hair color might be the distinguishing feature that allows TSA to distinguish him or her from someone on the watch list. For other individuals, eye color, or whether they have a tattoo may be data needed to distinguish them from someone on the watch list. For VerDate Aug<31>2005 20:02 Nov 08, 2007 Jkt 214001 these individuals, hair or eye color is relevant, but not always necessary. In addition, TSA and other agencies may not always know what information about an encounter with a known or suspected terrorist will be relevant to law enforcement for the purpose of conducting an operational response. Further, employing this exemption is not inconsistent with the principles of the Privacy Act; the drafters of the Act established exemptions to provisions like (e)(1) to avoid inappropriately limiting the ability of the Government to carry out certain functions such as law enforcement. Constraining the collection of information in the Secure Flight Records system in accordance with the ‘‘relevant and necessary’’ requirement could discourage the appropriate collection of information and impede TSA’s efforts to identify known or suspected terrorists and keep them from threatening transportation security. 4. Exemption from Requirement of Maintaining All Records Used by the Agency in Making a Determination About an Individual with Accuracy, Relevance, Timeliness, and Completeness. Section (e)(5) of the Privacy Act requires agencies to maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination. The comments received from EFF and EPIC were concerned that the quality of the watch lists used by the Secure Flight program are mediocre, and that inaccuracies in the lists coupled with exempting records from (e)(5) will lead to a loss of convenience and even liberty for those individuals who are mistakenly put on a watch list. TSA is sensitive to these concerns, however; because many of the records in this system come from other domestic and foreign agency records systems, it is not possible for TSA to ensure compliance with (e)(5). TSA is interested in eliminating erroneous and out of date information from the watch list matching process. To that end, the agency has implemented internal quality assurance procedures to ensure that data used by Secure Flight is as complete, accurate, and current as possible. In the collection of information for law enforcement, counterterrorism, and intelligence purposes, it is impossible to determine in advance what information is accurate, relevant, timely, and complete. With the passage of time, seemingly irrelevant or untimely information may PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 acquire new significance as further investigation reveals additional details. The restriction imposed by (e)(5) would hamper the ability of those agencies’ trained investigators and intelligence analysts to exercise their judgment in conducting investigations and impede the development of intelligence necessary for effective law enforcement and counterterrorism efforts. 5. Exemption from the Requirement of Judicial Review. EFF and EPIC both object to TSA’s exemption of portions of the Secure Flight system of records from 5 U.S.C. 552a(g), which grants the right to judicial review. According to EFF and EPIC, the redress process offered by TSA and DHS is ‘‘unacceptably vague’’ and ‘‘not meaningful’’ because it is too ‘‘discretionary.’’ EFF states that without the right to judicial review under the Privacy Act, it is unclear what recourse is available to an individual who has been identified as potential match through Secure Flight based on incorrect information. TSA disagrees. The redress process is effective in assisting individuals who believe they have been delayed or prohibited from boarding or denied entry to the airport sterile area, as a result of the operation of the Secure Flight program. Each separate request for redress is examined on a case by case basis, and, after conferring with the appropriate agency, the agency may waive applicable exemptions in appropriate circumstances and where it would not appear to interfere with or adversely affect the law enforcement or national security purposes of the systems from which the information is recompiled or in which it is contained. If individuals disagree with the agency’s final decision in the redress process, the Court of Appeals is the appropriate venue to contest the decision, not a suit for amendment of records under the Privacy Act. As courts have held, even for records that are not exempt from provisions of the Privacy Act, the Privacy Act may not be used as ‘‘a weapon to collaterally attack agency determinations.’’ Pellerin v. V.A., 790 F.2d 1553, 1555 (11th Cir. 1986). TSA’s exemption of portions of the Secure Flight Records system from judicial review does not impair an individual’s ability to seek redress when they believe they have been erroneously delayed or denied boarding or entry to the airport sterile area. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the E:\FR\FM\09NOR3.SGM 09NOR3 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations public and, under the provisions of PRA section 3507(d), obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or requires through regulations. TSA has determined that there are no current or new information collection requirements associated with this rule. Regulatory Evaluation Summary Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), directs each Federal agency to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (19 U.S.C. 2531–2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531–1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation). jlentini on PROD1PC65 with RULES3 Executive Order 12866 Assessment In conducting these analyses, TSA has determined: 1. This rulemaking is not a ‘‘significant regulatory action’’ as defined in the Executive Order. Accordingly, this rule has not been reviewed by the Office of Management and Budget (OMB). Nevertheless, TSA has reviewed this rulemaking and concluded that there will not be any significant economic impact. 2. This rulemaking would not have a significant impact on a substantial number of small entities. 3. This rulemaking would not constitute a barrier to international trade. 4. This rulemaking does not impose an unfunded mandate on state, local, or tribal governments, or on the private sector. These analyses, available in the docket, are summarized below. VerDate Aug<31>2005 20:02 Nov 08, 2007 Jkt 214001 Regulatory Flexibility Act The Amendments The Regulatory Flexibility Act (RFA) of 1980 requires that agencies perform a review to determine whether a proposed or final rule will have a significant economic impact on a substantial number of small entities. If the determination is that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA. For purposes of the RFA, small entities include small businesses, not-for-profit organizations, and small governmental jurisdictions. Individuals and States are not included in the definition of a small entity. This final rule exempts records in the Secure Flight Records system of records from certain provisions of the Privacy Act. TSA certifies that this rulemaking will not have a significant economic impact on a substantial number of small entities. Further, the exemptions to the Privacy Act apply to individuals, and individuals are not covered entities under the RFA. 63709 I International Trade Impact Assessment This rulemaking will not constitute a barrier to international trade. The exemptions relate to criminal investigations and agency documentation and, therefore, do not create any new costs or barriers to trade. Executive Order 13132, Federalism TSA has analyzed this final rule under the principles and criteria of Executive Order 13132, Federalism. We determined that this action will not have a substantial direct effect on the States, or the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, does not have federalism implications. Environmental Analysis TSA has reviewed this action for purposes of the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321–4347) and has determined that this action will not have a significant effect on the human environment. Energy Impact The energy impact of the action has been assessed in accordance with the Energy Policy and Conservation Act (EPCA), Public Law 94–163, as amended (42 U.S.C. 6362). We have determined that this rulemaking is not a major regulatory action under the provisions of the EPCA. List of Subjects in 49 CFR Part 1507 Privacy. PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 In consideration of the foregoing, the Transportation Security Administration amends part 1507 of Chapter XII, Title 49 of the Code of Federal Regulations, as follows: PART 1507—PRIVACY ACTEXEMPTIONS 1. The authority citation for part 1507 continues to read as follows: I Authority: 49 U.S.C. 114(l)(1), 40113, 5 U.S.C. 552a(j) and (k). 2. Add a new paragraph (k) to § 1507.3 to read as follows: I § 1507.3 Exemptions. * * * * * (k) Secure Flight Records. (1) Secure Flight Records (DHS/TSA 019) enables TSA to maintain a system of records related to watch list matching applied to air passengers and to non-traveling individuals authorized to enter an airport sterile area. Pursuant to 5 U.S.C. 552a(j)(2) and (k)(2), TSA is claiming the following exemptions for certain records within the Secure Flight Records system: 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f), and (g). (2) In addition to records under the control of TSA, the Secure Flight system of records may include records originating from systems of records of other law enforcement and intelligence agencies which may be exempt from certain provisions of the Privacy Act. However, TSA does not assert exemption to any provisions of the Privacy Act with respect to information submitted by or on behalf of individual passengers or non-travelers in the course of making a reservation or seeking access to a secured area under the Secure Flight program. (3) To the extent the Secure Flight system contains records originating from other systems of records, TSA will rely on the exemptions claimed for those records in the originating system of records. Exemptions for certain records within the Secure Flight Records system from particular subsections of the Privacy Act are justified for the following reasons: (i) From subsection (c)(3) (Accounting for Disclosures) because giving a record subject access to the accounting of disclosures from records concerning him or her could reveal investigative interest on the part of the recipient agency that obtained the record pursuant to a routine use. Disclosure of the accounting could therefore present a serious impediment to law enforcement E:\FR\FM\09NOR3.SGM 09NOR3 63710 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations jlentini on PROD1PC65 with RULES3 efforts on the part of the recipient agency because the individual who is the subject of the record would learn of third agency investigative interests and could take steps to evade detection or apprehension. Disclosure of the accounting also could reveal the details of watch list matching measures under the Secure Flight program, as well as capabilities and vulnerabilities of the watch list matching process, the release of which could permit an individual to evade future detection and thereby impede efforts to ensure transportation security. (ii) From subsection (c)(4) because portions of this system are exempt from the access and amendment provisions of subsection (d). (iii) From subsections (d)(1), (2), (3), and (4) because these provisions concern individual access to and amendment of certain records contained in this system, including law enforcement counterterrorism, investigatory and intelligence records. Compliance with these provisions could alert the subject of an investigation of the fact and nature of the investigation, and/or the investigative interest of intelligence or law enforcement agencies; compromise sensitive information related to national security; interfere with the overall law enforcement process by leading to the destruction of evidence, improper influencing of witnesses, fabrication of testimony, and/or flight of the subject; identify a confidential source or disclose information which would constitute an unwarranted invasion of another’s personal privacy; reveal a sensitive investigative or intelligence technique; or constitute a potential danger to the health or safety of law enforcement personnel, confidential informants, and witnesses. Amendment of these records would interfere with ongoing counterterrorism, law enforcement, or intelligence investigations and analysis activities and impose an impossible administrative burden by requiring investigations, analyses, and reports to be continuously reinvestigated and revised. (iv) From subsection (e)(1) because it is not always possible for TSA or other VerDate Aug<31>2005 20:02 Nov 08, 2007 Jkt 214001 agencies to know in advance what information is both relevant and necessary for it to complete an identity comparison between aviation passengers or certain non-travelers and a known or suspected terrorist. In addition, because TSA and other agencies may not always know what information about an encounter with a known or suspected terrorist will be relevant to law enforcement for the purpose of conducting an operational response. (v) From subsection (e)(2) because application of this provision could present a serious impediment to counterterrorism, law enforcement, or intelligence efforts in that it would put the subject of an investigation, study or analysis on notice of that fact, thereby permitting the subject to engage in conduct designed to frustrate or impede that activity. The nature of counterterrorism, law enforcement, or intelligence investigations is such that vital information about an individual frequently can be obtained only from other persons who are familiar with such individual and his/her activities. In such investigations, it is not feasible to rely upon information furnished by the individual concerning his own activities. (vi) From subsection (e)(3), to the extent that this subsection is interpreted to require TSA to provide notice to an individual if TSA or another agency receives or collects information about that individual during an investigation or from a third party. Should the subsection be so interpreted, exemption from this provision is necessary to avoid impeding counterterrorism, law enforcement, or intelligence efforts by putting the subject of an investigation, study or analysis on notice of that fact, thereby permitting the subject to engage in conduct intended to frustrate or impede that activity. (vii) From subsections (e)(4)(G) and (H) (Agency Requirements) and (f) (Agency Rules), because this system is exempt from the access provisions of 5 U.S.C. 552a(d). (viii) From subsection (e)(5) because many of the records in this system coming from other system of records are derived from other domestic and foreign agency record systems and therefore it PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 is not possible for TSA to ensure their compliance with this provision, however, TSA has implemented internal quality assurance procedures to ensure that data used in the watch list matching process is as thorough, accurate, and current as possible. In addition, in the collection of information for law enforcement, counterterrorism, and intelligence purposes, it is impossible to determine in advance what information is accurate, relevant, timely, and complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light. The restrictions imposed by (e)(5) would limit the ability of those agencies’ trained investigators and intelligence analysts to exercise their judgment in conducting investigations and impede the development of intelligence necessary for effective law enforcement and counterterrorism efforts. However, TSA has implemented internal quality assurance procedures to ensure that the data used in the watch list matching process is as thorough, accurate, and current as possible. (ix) From subsection (e)(8) because to require individual notice of disclosure of information due to compulsory legal process would pose an impossible administrative burden on TSA and other agencies and could alert the subjects of counterterrorism, law enforcement, or intelligence investigations to the fact of those investigations when not previously known. (x) From subsection (f) (Agency Rules) because portions of this system are exempt from the access and amendment provisions of subsection (d). (xi) From subsection (g) to the extent that the system is exempt from other specific subsections of the Privacy Act. Issued in Arlington, Virginia, on November 2, 2007. Kip Hawley, Assistant Secretary, Transportation Security Administration. John Kropf, Deputy Chief Privacy Officer, Department of Homeland Security. [FR Doc. E7–21907 Filed 11–8–07; 8:45 am] BILLING CODE 9110–05–P E:\FR\FM\09NOR3.SGM 09NOR3

Agencies

[Federal Register Volume 72, Number 217 (Friday, November 9, 2007)]
[Rules and Regulations]
[Pages 63706-63710]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-21907]



[[Page 63705]]

-----------------------------------------------------------------------

Part III





Department of Homeland Security





-----------------------------------------------------------------------



Transportation Security Administration



-----------------------------------------------------------------------



49 CFR Part 1507



Privacy Act of 1974: Implementation of Exemptions and System of 
Records; Secure Flight Records; Final Rule and Notice

Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / 
Rules and Regulations

[[Page 63706]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Part 1507

[Docket No. TSA-2007-28972; Amendment No. 1507-3]
RIN 1652-AA48


Privacy Act of 1974: Implementation of Exemptions; Secure Flight 
Records

AGENCY: Transportation Security Administration, DHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Following a Notice of Proposed Rulemaking (NPRM) and public 
comment, this rule amends the Transportation Security Administration 
(TSA)'s regulations by exempting a new system of records from several 
provisions of the Privacy Act. The Secure Flight Records system (DHS/
TSA 019) includes records used as part of the watch list matching 
program known as Secure Flight, which implements a mandate of the 
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and is 
consistent with TSA's authority under the Aviation and Transportation 
Security Act (ATSA). Under the Secure Flight program, TSA would assume 
the current watch list matching function to the No Fly and Selectee 
Lists from aircraft operators. TSA is exempting DHS/TSA 019 from 
provisions of the Privacy Act to the extent necessary to protect the 
integrity of investigatory information that may be included in the 
system of records.

DATES: Effective December 10, 2007.

FOR FURTHER INFORMATION CONTACT: Peter Pietra, Director, Privacy Policy 
and Compliance, TSA-36, Transportation Security Administration, 601 
South 12th Street, Arlington, VA 22202-4220; facsimile (571) 227-1400; 
e-mail TSAPrivacy@dhs.gov; or Hugo Teufel III (703-235-0780), Chief 
Privacy Officer, U.S. Department of Homeland Security, Washington, DC 
20528; e-mail pia@dhs.gov.

SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Document

    You can get an electronic copy using the Internet by--
    (1) Searching the electronic Federal Docket Management System 
(FDMS) Web page at https://www.regulations.gov;
    (2) Accessing the Government Printing Office's Web page at https://
www.gpoaccess.gov/fr/; or
    (3) Visiting TSA's Security Regulations Web page at https://
www.tsa.gov and accessing the link for ``Research Center'' at the top 
of the page.
    In addition, copies are available by writing or calling the 
individuals in the FOR FURTHER INFORMATION CONTACT section. Make sure 
to identify the docket number of this rulemaking.

Small Entity Inquiries

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires TSA to comply with small entity requests for information 
and advice about compliance with statutes and regulations within TSA's 
jurisdiction. Any small entity that has a question regarding this 
document may contact the person listed in FOR FURTHER INFORMATION 
CONTACT. Persons can obtain further information regarding SBREFA on the 
Small Business Administration's web page at https://www.sba.gov/advo/
laws/law_lib.html.

Abbreviations and Terms Used in This Document

DHS--Department of Homeland Security
FBI--Federal Bureau of Investigation
TSA--Transportation Security Administration

Background

    The Privacy Act of 1974 (Privacy Act), 5 U.S.C. 552a, governs the 
means by which the U.S. Government collects, maintains, uses, and 
disseminates personally identifiable information. The Privacy Act 
applies to information that is maintained in a ``system of records.'' A 
``system of records'' is a group of any records under the control of an 
agency from which information is retrieved by the name of the 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual. See 5 U.S.C. 552a(a)(5).
    An individual may request access to records containing information 
about him or herself. 5 U.S.C. 552a(b), (d). However, the Privacy Act 
authorizes Government agencies to exempt systems of records from access 
by individuals under certain circumstances, such as where the access or 
disclosure of such information would impede national security or law 
enforcement efforts.
    Exemptions from Privacy Act provisions must be established by 
regulation. 5 U.S.C. 552a(j), (k). TSA's Privacy Act exemptions are 
found at 49 CFR part 1507.
    On August 23, 2007, TSA published a notice (Part III, 72 FR 48392) 
establishing a new Privacy Act system of records entitled Secure Flight 
Records (DHS/TSA 019). The Secure Flight Records system maintains 
records for the Secure Flight Program which carries out the requirement 
of section 4012(a)(1) of IRTPA (Pub. L. 08-458, 188 Stat. 3638, Dec. 
17, 2004) and provides for TSA's assumption from air carriers the 
comparison of passenger information for domestic flights to the 
consolidated and integrated terrorist watch list maintained by the 
Federal Government. Section 4012(a)(2) of IRTPA similarly requires the 
DHS to compare passenger information for international flights to and 
from the United States against the consolidated and integrated 
terrorist watch list before departure of such flights. Further, as 
recommended by the 9/11 Commission, TSA may access the ``larger set of 
watch lists maintained by the Federal Government.'' \1\ Therefore, as 
warranted by security considerations, TSA may use the full Terrorist 
Screening Database (TSDB) or other government databases, such as 
intelligence or law enforcement databases (referred to as ``watch list 
matching''). For example, TSA may obtain intelligence that flights 
flying a particular route may be subject to an increased security risk. 
Under this circumstance, TSA may decide to compare passenger 
information on some or all of the flights flying that route against the 
full TSDB or other government database.
---------------------------------------------------------------------------

    \1\ ``National Commission on Terrorist Attacks Upon the United 
States'', page 393.
---------------------------------------------------------------------------

    In conjunction with the establishment and publication of the Secure 
Flight Records system of records on August 23, 2007, TSA initiated a 
proposed rulemaking (Part III, 72 FR 48397) to exempt this system of 
records from a number of provisions of the Privacy Act because this 
system of records may contain records or information recompiled from, 
or created from, information contained in other systems of records, 
which are exempt from certain provisions of the Privacy Act. For these 
records or information only, to the extent necessary to protect the 
integrity of watch list matching procedures performed under the Secure 
Flight Program and in accordance with 5 U.S.C. 552a(j)(2) and (k)(2), 
TSA is claiming the following exemptions for certain records within the 
Secure Flight Records system: 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), 
(3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f), 
and (g).

Discussion of Comments

    TSA received comments on the proposed rule from both the Electronic 
Frontier Foundation (EFF) and the Electronic Privacy Information Center 
(EPIC). Some of their comments dealt more generally with the Secure 
Flight Program and will be addressed in the final rule for the Secure 
Flight Program.

[[Page 63707]]

The remaining comments relate to the exemptions claimed for the Secure 
Flight Records system, which TSA has addressed below.
    As a preliminary matter and an overall response to the comments, 
TSA recognizes that although there is a need for the exemptions 
provided for in this document, there may be instances where such 
exemptions can be waived. There may be times when the Privacy Act 
exemptions claimed here are not necessary to further a governmental 
interest. In appropriate circumstances, where compliance would not 
appear to interfere with, or adversely affect, the law enforcement and 
national security purposes of the system and the overall law 
enforcement and security process, the applicable exemptions may be 
waived.
    1. Applicability of Exemptions (j)(2), (k)(1), and (k)(2). EFF 
raised a question about TSA's ability to use 5 U.S.C. 552a(j)(2), 
(k)(1), and (k)(2) as the basis for exempting the system from portions 
of the Privacy Act. Exemption (j)(2) applies where a system of records 
consists of information compiled for purposes of a criminal 
investigation and the system is maintained by an agency or component of 
the agency that performs as its principal function any activity 
pertaining to the enforcement of criminal laws, including efforts to 
prevent, control, or reduce crime, or apprehend criminals. EFF alleges 
that this exemption would only apply to the Secure Flight Records 
system if TSA believes that millions of innocent citizens are 
``criminal offenders or alleged offenders.'' TSA disagrees that the 
Secure Flight Records system in any way suggests that the majority of 
individuals undergoing screening by the Secure Flight program are 
criminals. However, the Secure Flight system does contain records 
originating from the systems of records of other law enforcement and 
intelligence agencies, such as records obtained from the TSC of known 
or suspected terrorists in the Terrorist Screening Database (TSDB) and 
records of individuals identified on classified and unclassified 
governmental watch lists, which may be properly exempt from certain 
provisions of the Privacy Act pursuant to (j)(2). In order to ensure 
that agencies' investigative or law enforcement efforts are unharmed, 
and information relating to DHS activities are protected from 
disclosure to subjects of investigations, TSA must use this exemption. 
However, TSA does not assert exemptions to any provision of the Privacy 
Act with respect to information submitted by or on behalf of individual 
passengers or non-travelers in the course of making a reservation or 
seeking access to a secured area under the Secure Flight program.
    Exemption (k)(1) applies to records that contain information that 
have been officially classified in the interest of national security. 
EFF noted that the designated security classification in the Privacy 
Act system or records notice for Secure Flight Records is 
``[u]nclassified; Sensitive Security Information'' and, therefore, this 
system could not be exempt under (k)(1). TSA appreciates the comment, 
and upon re-examination concludes that the system will not be likely to 
contain classified material. TSA will update its system of records 
notice to delete the assertion of an exemption under (k)(1).
    Exemption (k)(2) applies to investigatory material compiled for law 
enforcement purposes that is not otherwise covered by exemption (j)(2), 
provided that an individual is not denied access to a record where the 
agency's maintenance of the record resulted in the individual being 
denied a right, privilege, or benefit to which he would otherwise be 
entitled. EFF alleges that Secure Flight potentially denies individuals 
their right to travel, so the exemption may not be invoked with respect 
to those individuals who have been denied this right and material in 
the system should be provided to them.
    As a preliminary matter, TSA does not believe that the Secure 
Flight program denies individuals their right to travel. Courts have 
consistently held that travelers do not have a Constitutional right to 
travel by a single mode or the most convenient form of travel. See for 
example: Town of Southold v. Town of East Hampton, 477 F.3d 38, 54 (2d 
Cir. 2007); Gilmore v. Gonzales, 435 F.3d 1125, 1136 (9th Cir. 2006); 
Miller v. Reed, 176 F.3d 1202, 1205 (9th Cir. 1999). The Secure Flight 
program would only regulate one mode of travel (aviation), and would 
not impose any restriction on other mode of travel. Therefore, a 
restriction on an individual's ability to board an aircraft as a result 
of the Secure Flight program would not implicate a Constitutional right 
to travel.
    In addition, as noted above, information in this system may be 
related to investigations arising out of DHS or other agency programs 
and activities, and may pertain to law enforcement or national security 
matters. In such cases, allowing access to information could alert 
subjects of investigations of actual or potential criminal, civil, or 
regulatory violations, and could reveal, in an untimely manner, DHS's 
and other agencies' investigative interests in law enforcement efforts 
to preserve national security. Further, to the extent that an 
individual is denied a right, benefit, or privilege due to the 
maintenance of a record by TSA in this system, TSA will provide access 
to that record to the extent the law requires.
    2. Exemption from Access and Amendment Requirements. The bulk of 
both EFF and EPIC's comments constituted objections to TSA's proposal 
to exempt portions of the system from 5 U.S.C. 552a(c)(3) and (4); 
(d)(1), (2), (3), and (4); (e)(4)(G)-(I); and (f) which all relate to 
an individual's ability to request access to and correction of records 
in a system of records. Both groups are concerned that the watch lists 
used by the Secure Flight Program contain errors and inaccuracies that 
lead to inconveniences and, in some cases, a loss of liberty for 
individuals who are placed on a watch list in error. EFF and EPIC do 
not believe that TSA has an adequate redress process in place, and 
thus, the need for access and amendment under the Privacy Act is 
critical.
    TSA claims these exemptions in order to protect information 
relating to investigations from disclosure to subjects of 
investigations and others who could interfere with investigatory 
activities. Specifically, the exemptions are required to: Prevent 
subjects of investigations from frustrating the investigative process; 
avoid disclosure of investigative techniques; protect the privacy of 
confidential sources; ensure TSA, DHS and other agencies ability to 
obtain information from third party and other sources; and safeguard 
sensitive information. Allowing amendment of these records could 
interfere with ongoing counterterrorism, law enforcement, or 
intelligence investigations and analysis activities and impose an 
impossible administrative burden by requiring investigations, analyses, 
and reports to be continuously reinvestigated and revised. The 
exemptions proposed here are standard law enforcement and national 
security exemptions exercised by Federal law enforcement and 
intelligence agencies.
    EFF and EPIC refer to the redress process, DHS Traveler Redress 
Inquiry Program (DHS TRIP), as ``vague,'' ``discretionary,'' ``not 
meaningful,'' and ``Kafkaesque.'' These assertions are simply 
incorrect, and are not comments upon which TSA can meaningfully act. 
The DHS TRIP program is a robust and effective mechanism for 
individuals who believe that they have been delayed or prohibited from 
boarding or denied entry to the airport sterile area as the result of 
the Secure Flight program to

[[Page 63708]]

seek redress and relief. With the implementation of Secure Flight, TSA 
believes that it will become even more effective with uniform 
application by the government, rather than relying on application by 
individual airlines. When an individual requests access to his or her 
information through the redress process, the request will be examined 
on a case by case basis, and, after conferring with the appropriate 
component or agency, the agency may waive applicable exemptions in 
appropriate circumstances where it would not appear to interfere with 
or adversely affect the law enforcement or national security purposes 
of the systems from which the information is recompiled or in which it 
is contained. Again, TSA shall not assert any exemption with respect to 
information submitted by and collected from the individual or the 
individual's representative in the course of the Secure Flight Program 
or any redress process associated with the underlying records.
    3. Exemption from Requirement to Collect Only Relevant and 
Necessary Information. EFF and EPIC object to TSA's assertion of 
exemption authority under 5 U.S.C. 552a(e)(1) which permits the 
maintenance of information beyond that which is ``relevant and 
necessary'' to accomplish the agency's purpose. The groups' objection 
stems from their conviction that the watch lists used by Secure Flight 
are riddled with errors and inaccuracies. EFF states that the 
implementation of this exemption ``will serve only to increase the 
likelihood that Secure Flight will become an error-filled, invasive 
repository of all sorts of information bearing no relationship to its 
stated goals of expediting the pre-boarding process for travelers and 
improving transportation security.'' TSA appreciates this concern and 
similarly seeks to ensure that data used in the watch list matching 
process is as thorough, accurate, and current as possible. However, TSA 
must exempt portions of this system from (e)(1) because it is not 
always possible for TSA or other agencies to know in advance what 
information will be relevant or necessary for it to complete an 
identity comparison between aviation passengers or certain non-
travelers and a known or suspected terrorist. For example, for one 
individual hair color might be the distinguishing feature that allows 
TSA to distinguish him or her from someone on the watch list. For other 
individuals, eye color, or whether they have a tattoo may be data 
needed to distinguish them from someone on the watch list. For these 
individuals, hair or eye color is relevant, but not always necessary. 
In addition, TSA and other agencies may not always know what 
information about an encounter with a known or suspected terrorist will 
be relevant to law enforcement for the purpose of conducting an 
operational response. Further, employing this exemption is not 
inconsistent with the principles of the Privacy Act; the drafters of 
the Act established exemptions to provisions like (e)(1) to avoid 
inappropriately limiting the ability of the Government to carry out 
certain functions such as law enforcement. Constraining the collection 
of information in the Secure Flight Records system in accordance with 
the ``relevant and necessary'' requirement could discourage the 
appropriate collection of information and impede TSA's efforts to 
identify known or suspected terrorists and keep them from threatening 
transportation security.
    4. Exemption from Requirement of Maintaining All Records Used by 
the Agency in Making a Determination About an Individual with Accuracy, 
Relevance, Timeliness, and Completeness. Section (e)(5) of the Privacy 
Act requires agencies to maintain all records which are used by the 
agency in making any determination about any individual with such 
accuracy, relevance, timeliness, and completeness as is reasonably 
necessary to assure fairness to the individual in the determination. 
The comments received from EFF and EPIC were concerned that the quality 
of the watch lists used by the Secure Flight program are mediocre, and 
that inaccuracies in the lists coupled with exempting records from 
(e)(5) will lead to a loss of convenience and even liberty for those 
individuals who are mistakenly put on a watch list. TSA is sensitive to 
these concerns, however; because many of the records in this system 
come from other domestic and foreign agency records systems, it is not 
possible for TSA to ensure compliance with (e)(5). TSA is interested in 
eliminating erroneous and out of date information from the watch list 
matching process. To that end, the agency has implemented internal 
quality assurance procedures to ensure that data used by Secure Flight 
is as complete, accurate, and current as possible. In the collection of 
information for law enforcement, counterterrorism, and intelligence 
purposes, it is impossible to determine in advance what information is 
accurate, relevant, timely, and complete. With the passage of time, 
seemingly irrelevant or untimely information may acquire new 
significance as further investigation reveals additional details. The 
restriction imposed by (e)(5) would hamper the ability of those 
agencies' trained investigators and intelligence analysts to exercise 
their judgment in conducting investigations and impede the development 
of intelligence necessary for effective law enforcement and 
counterterrorism efforts.
    5. Exemption from the Requirement of Judicial Review. EFF and EPIC 
both object to TSA's exemption of portions of the Secure Flight system 
of records from 5 U.S.C. 552a(g), which grants the right to judicial 
review. According to EFF and EPIC, the redress process offered by TSA 
and DHS is ``unacceptably vague'' and ``not meaningful'' because it is 
too ``discretionary.'' EFF states that without the right to judicial 
review under the Privacy Act, it is unclear what recourse is available 
to an individual who has been identified as potential match through 
Secure Flight based on incorrect information. TSA disagrees. The 
redress process is effective in assisting individuals who believe they 
have been delayed or prohibited from boarding or denied entry to the 
airport sterile area, as a result of the operation of the Secure Flight 
program. Each separate request for redress is examined on a case by 
case basis, and, after conferring with the appropriate agency, the 
agency may waive applicable exemptions in appropriate circumstances and 
where it would not appear to interfere with or adversely affect the law 
enforcement or national security purposes of the systems from which the 
information is recompiled or in which it is contained. If individuals 
disagree with the agency's final decision in the redress process, the 
Court of Appeals is the appropriate venue to contest the decision, not 
a suit for amendment of records under the Privacy Act. As courts have 
held, even for records that are not exempt from provisions of the 
Privacy Act, the Privacy Act may not be used as ``a weapon to 
collaterally attack agency determinations.'' Pellerin v. V.A., 790 F.2d 
1553, 1555 (11th Cir. 1986). TSA's exemption of portions of the Secure 
Flight Records system from judicial review does not impair an 
individual's ability to seek redress when they believe they have been 
erroneously delayed or denied boarding or entry to the airport sterile 
area.

Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) 
requires that TSA consider the impact of paperwork and other 
information collection burdens imposed on the

[[Page 63709]]

public and, under the provisions of PRA section 3507(d), obtain 
approval from the Office of Management and Budget (OMB) for each 
collection of information it conducts, sponsors, or requires through 
regulations. TSA has determined that there are no current or new 
information collection requirements associated with this rule.

Regulatory Evaluation Summary

    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866, Regulatory Planning and Review 
(58 FR 51735, October 4, 1993), directs each Federal agency to propose 
or adopt a regulation only upon a reasoned determination that the 
benefits of the intended regulation justify its costs. Second, the 
Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq., as amended by 
the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996) requires agencies to analyze the economic impact of regulatory 
changes on small entities. Third, the Trade Agreements Act (19 U.S.C. 
2531-2533) prohibits agencies from setting standards that create 
unnecessary obstacles to the foreign commerce of the United States. 
Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) 
requires agencies to prepare a written assessment of the costs, 
benefits, and other effects of proposed or final rules that include a 
Federal mandate likely to result in the expenditure by State, local, or 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more annually (adjusted for inflation).

Executive Order 12866 Assessment

    In conducting these analyses, TSA has determined:
    1. This rulemaking is not a ``significant regulatory action'' as 
defined in the Executive Order. Accordingly, this rule has not been 
reviewed by the Office of Management and Budget (OMB). Nevertheless, 
TSA has reviewed this rulemaking and concluded that there will not be 
any significant economic impact.
    2. This rulemaking would not have a significant impact on a 
substantial number of small entities.
    3. This rulemaking would not constitute a barrier to international 
trade.
    4. This rulemaking does not impose an unfunded mandate on state, 
local, or tribal governments, or on the private sector.
    These analyses, available in the docket, are summarized below.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) of 1980 requires that agencies 
perform a review to determine whether a proposed or final rule will 
have a significant economic impact on a substantial number of small 
entities. If the determination is that it will, the agency must prepare 
a regulatory flexibility analysis as described in the RFA. For purposes 
of the RFA, small entities include small businesses, not-for-profit 
organizations, and small governmental jurisdictions. Individuals and 
States are not included in the definition of a small entity.
    This final rule exempts records in the Secure Flight Records system 
of records from certain provisions of the Privacy Act. TSA certifies 
that this rulemaking will not have a significant economic impact on a 
substantial number of small entities. Further, the exemptions to the 
Privacy Act apply to individuals, and individuals are not covered 
entities under the RFA.

International Trade Impact Assessment

    This rulemaking will not constitute a barrier to international 
trade. The exemptions relate to criminal investigations and agency 
documentation and, therefore, do not create any new costs or barriers 
to trade.

Executive Order 13132, Federalism

    TSA has analyzed this final rule under the principles and criteria 
of Executive Order 13132, Federalism. We determined that this action 
will not have a substantial direct effect on the States, or the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government, and, therefore, does not have federalism implications.

Environmental Analysis

    TSA has reviewed this action for purposes of the National 
Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347) and has 
determined that this action will not have a significant effect on the 
human environment.

Energy Impact

    The energy impact of the action has been assessed in accordance 
with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, 
as amended (42 U.S.C. 6362). We have determined that this rulemaking is 
not a major regulatory action under the provisions of the EPCA.

List of Subjects in 49 CFR Part 1507

    Privacy.

The Amendments

0
In consideration of the foregoing, the Transportation Security 
Administration amends part 1507 of Chapter XII, Title 49 of the Code of 
Federal Regulations, as follows:

PART 1507--PRIVACY ACT-EXEMPTIONS

0
1. The authority citation for part 1507 continues to read as follows:

    Authority: 49 U.S.C. 114(l)(1), 40113, 5 U.S.C. 552a(j) and (k).

0
2. Add a new paragraph (k) to Sec.  1507.3 to read as follows:


Sec.  1507.3  Exemptions.

* * * * *
    (k) Secure Flight Records. (1) Secure Flight Records (DHS/TSA 019) 
enables TSA to maintain a system of records related to watch list 
matching applied to air passengers and to non-traveling individuals 
authorized to enter an airport sterile area. Pursuant to 5 U.S.C. 
552a(j)(2) and (k)(2), TSA is claiming the following exemptions for 
certain records within the Secure Flight Records system: 5 U.S.C. 
552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) 
through (I), (5), and (8); (f), and (g).
    (2) In addition to records under the control of TSA, the Secure 
Flight system of records may include records originating from systems 
of records of other law enforcement and intelligence agencies which may 
be exempt from certain provisions of the Privacy Act. However, TSA does 
not assert exemption to any provisions of the Privacy Act with respect 
to information submitted by or on behalf of individual passengers or 
non-travelers in the course of making a reservation or seeking access 
to a secured area under the Secure Flight program.
    (3) To the extent the Secure Flight system contains records 
originating from other systems of records, TSA will rely on the 
exemptions claimed for those records in the originating system of 
records. Exemptions for certain records within the Secure Flight 
Records system from particular subsections of the Privacy Act are 
justified for the following reasons:
    (i) From subsection (c)(3) (Accounting for Disclosures) because 
giving a record subject access to the accounting of disclosures from 
records concerning him or her could reveal investigative interest on 
the part of the recipient agency that obtained the record pursuant to a 
routine use. Disclosure of the accounting could therefore present a 
serious impediment to law enforcement

[[Page 63710]]

efforts on the part of the recipient agency because the individual who 
is the subject of the record would learn of third agency investigative 
interests and could take steps to evade detection or apprehension. 
Disclosure of the accounting also could reveal the details of watch 
list matching measures under the Secure Flight program, as well as 
capabilities and vulnerabilities of the watch list matching process, 
the release of which could permit an individual to evade future 
detection and thereby impede efforts to ensure transportation security.
    (ii) From subsection (c)(4) because portions of this system are 
exempt from the access and amendment provisions of subsection (d).
    (iii) From subsections (d)(1), (2), (3), and (4) because these 
provisions concern individual access to and amendment of certain 
records contained in this system, including law enforcement 
counterterrorism, investigatory and intelligence records. Compliance 
with these provisions could alert the subject of an investigation of 
the fact and nature of the investigation, and/or the investigative 
interest of intelligence or law enforcement agencies; compromise 
sensitive information related to national security; interfere with the 
overall law enforcement process by leading to the destruction of 
evidence, improper influencing of witnesses, fabrication of testimony, 
and/or flight of the subject; identify a confidential source or 
disclose information which would constitute an unwarranted invasion of 
another's personal privacy; reveal a sensitive investigative or 
intelligence technique; or constitute a potential danger to the health 
or safety of law enforcement personnel, confidential informants, and 
witnesses. Amendment of these records would interfere with ongoing 
counterterrorism, law enforcement, or intelligence investigations and 
analysis activities and impose an impossible administrative burden by 
requiring investigations, analyses, and reports to be continuously 
reinvestigated and revised.
    (iv) From subsection (e)(1) because it is not always possible for 
TSA or other agencies to know in advance what information is both 
relevant and necessary for it to complete an identity comparison 
between aviation passengers or certain non-travelers and a known or 
suspected terrorist. In addition, because TSA and other agencies may 
not always know what information about an encounter with a known or 
suspected terrorist will be relevant to law enforcement for the purpose 
of conducting an operational response.
    (v) From subsection (e)(2) because application of this provision 
could present a serious impediment to counterterrorism, law 
enforcement, or intelligence efforts in that it would put the subject 
of an investigation, study or analysis on notice of that fact, thereby 
permitting the subject to engage in conduct designed to frustrate or 
impede that activity. The nature of counterterrorism, law enforcement, 
or intelligence investigations is such that vital information about an 
individual frequently can be obtained only from other persons who are 
familiar with such individual and his/her activities. In such 
investigations, it is not feasible to rely upon information furnished 
by the individual concerning his own activities.
    (vi) From subsection (e)(3), to the extent that this subsection is 
interpreted to require TSA to provide notice to an individual if TSA or 
another agency receives or collects information about that individual 
during an investigation or from a third party. Should the subsection be 
so interpreted, exemption from this provision is necessary to avoid 
impeding counterterrorism, law enforcement, or intelligence efforts by 
putting the subject of an investigation, study or analysis on notice of 
that fact, thereby permitting the subject to engage in conduct intended 
to frustrate or impede that activity.
    (vii) From subsections (e)(4)(G) and (H) (Agency Requirements) and 
(f) (Agency Rules), because this system is exempt from the access 
provisions of 5 U.S.C. 552a(d).
    (viii) From subsection (e)(5) because many of the records in this 
system coming from other system of records are derived from other 
domestic and foreign agency record systems and therefore it is not 
possible for TSA to ensure their compliance with this provision, 
however, TSA has implemented internal quality assurance procedures to 
ensure that data used in the watch list matching process is as 
thorough, accurate, and current as possible. In addition, in the 
collection of information for law enforcement, counterterrorism, and 
intelligence purposes, it is impossible to determine in advance what 
information is accurate, relevant, timely, and complete. With the 
passage of time, seemingly irrelevant or untimely information may 
acquire new significance as further investigation brings new details to 
light. The restrictions imposed by (e)(5) would limit the ability of 
those agencies' trained investigators and intelligence analysts to 
exercise their judgment in conducting investigations and impede the 
development of intelligence necessary for effective law enforcement and 
counterterrorism efforts. However, TSA has implemented internal quality 
assurance procedures to ensure that the data used in the watch list 
matching process is as thorough, accurate, and current as possible.
    (ix) From subsection (e)(8) because to require individual notice of 
disclosure of information due to compulsory legal process would pose an 
impossible administrative burden on TSA and other agencies and could 
alert the subjects of counterterrorism, law enforcement, or 
intelligence investigations to the fact of those investigations when 
not previously known.
    (x) From subsection (f) (Agency Rules) because portions of this 
system are exempt from the access and amendment provisions of 
subsection (d).
    (xi) From subsection (g) to the extent that the system is exempt 
from other specific subsections of the Privacy Act.

    Issued in Arlington, Virginia, on November 2, 2007.
Kip Hawley,
Assistant Secretary, Transportation Security Administration.
John Kropf,
Deputy Chief Privacy Officer, Department of Homeland Security.
[FR Doc. E7-21907 Filed 11-8-07; 8:45 am]
BILLING CODE 9110-05-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.